Cyberspace is the battleground of the early 21st century. As cyberattacks have progressed from merely disrupting services to destroying hardware outright, investing in cyber defense has become a priority for private companies and governments alike.
Given the complexities of the physical and electronic networks required for the production and distribution of energy, the energy industry is particularly vulnerable to cyber threats. Yet recent advances in cryptography, such as blockchain technology, may provide a revolutionary answer to the cyber weaknesses of the energy industry in general and critical energy infrastructure in particular.
Cyber threats affect all kinds of industry, yet according to the US Department of Homeland Security, the energy sector faces more cyber attacks than any other. In a survey conducted by TripWire last year, almost 80% of respondents from the oil and gas industry acknowledged an increase in the number of successful cyber-attacks their own organizations had experienced over 2015.
More importantly, 83% of energy security professionals said they were not confident that the organizations they worked for had the ability to detect all cyber-attacks.
These results are hardly surprising. Several high-profile cyberattacks have highlighted the seriousness of the threat. In 2012, Saudi Aramco, one of the world’s largest oil companies, was hit by a sophisticated computer virus that erased the hard drives of 35,000 computers, forcing staff to turn to fax machines and typewriters. In 2015, a hacker group managed to take down an electricity distribution grid in Ukraine, leaving over 200,000 customers in the dark for several hours.
One reason why the energy industry has become a major target for cyberattacks is its use of outdated software. But hardware, too, creates vulnerabilities. Industrial control systems have vastly improved efficiency, yet many were built decades ago and run obsolete security protocols. Yet another problem is the internet: to achieve greater productivity, sensitive systems have been connected to a global network that was designed without security in mind. Today, a simple targeted search engine can uncover hundreds of publicly accessible logins to equipment that is connected to the web.
Of course, the energy industry is trying to tackle these cyber threats. However, a network firewall can be overcome, as can antivirus software. And even disconnecting industrial control systems from the internet does not guarantee security. In short, in cyberspace the offense tends to trump the defense, presenting considerable risks for the energy security of modern societies.
Can this unfavorable balance be changed? One technology suggests that it can: distributed ledger technology – or “blockchain” technology. A major cryptographic innovation, the blockchain radically alters the way data is handled.
To date, most information is stored in centralized databases, meaning that every line of code is located and maintained in one single location. But the problem with centralized data storage systems is obvious: malicious software intruding into the system can tamper with the information and cause irreversible damage. Regular backups can minimize, but not entirely remove, the risk of data loss.
By contrast, blockchains offer decentralized information storage: the data is spread and synchronized across many computers. Each block of information includes the hash of the previous block of the blockchain, linking the blocks together in a linear sequence. These blocks are shared among many different parties and can only be updated by a consensus of the majority of the participants in the system.
In other words, a blockchain is a transparent and permanent database that cannot be corrupted. There is no central administrator or centralized data storage. This way of storing data is tamper-proof. Malicious actors cannot manipulate it because it does not exist in any single location.
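The hash linking and majority agreement described above can be sketched in a few lines of Python; this is an added illustration, not code from the authors or from any blockchain project. The record strings, the all-zero genesis value and the function names are assumptions made for the example, which separates two cases: a copy edited in place (caught by the hash chain alone) and a copy rewritten with recomputed hashes (caught only by comparing replicas).

```python
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64  # assumed placeholder predecessor for the first block
# Constructed sample records, e.g. commands logged by a hypothetical substation.
RECORDS = ["breaker-7 open", "breaker-7 close", "setpoint 50.0Hz"]

def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical encoding of the block's fields."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(records):
    """Link records so each block stores the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if (b["index"] != i or b["prev"] != prev
                or b["hash"] != block_hash(i, prev, b["data"])):
            return i
        prev = b["hash"]
    return None

def majority_head(replicas):
    """Head hash shared by a strict majority of internally valid replicas."""
    heads = Counter(r[-1]["hash"] for r in replicas
                    if r and first_invalid_block(r) is None)
    top = heads.most_common(1)
    return top[0][0] if top and top[0][1] > len(replicas) // 2 else None

def demo():
    honest = build_chain(RECORDS)
    edited = [dict(b) for b in honest]
    edited[1]["data"] = "breaker-7 stay open"   # in-place edit, stored hash now stale
    reforged = build_chain(RECORDS[:1] + ["breaker-7 stay open"] + RECORDS[2:])
    replicas = [honest, build_chain(RECORDS), reforged]
    return {"edited_fails_at": first_invalid_block(edited),
            "reforged_fails_at": first_invalid_block(reforged),
            "majority_is_honest": majority_head(replicas) == honest[-1]["hash"]}

if __name__ == "__main__": print(demo())
```

The rewritten copy passes its own integrity check, so it is the comparison across independently held replicas, not the hash chain alone, that rejects it.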
Given the overwhelming success of blockchain technology for money transactions – as evidenced by the success of the Bitcoin cryptocurrency – many companies are now trying to harness its potential for other purposes, from verifying consumers’ identities for new bank accounts to electronic voting.
More importantly, perhaps, in the very near future blockchain technology will also alter the protection of critical energy infrastructure against cyber threats.
Blockchains will not only eliminate code injection attacks, but also help provide tamper-proof computer systems for running all kinds of critical energy infrastructure, including nuclear power plants or oil refineries. Traditional malware attacks against industrial control systems might be rendered obsolete.
Blockchain technology is no panacea. It does not offer total protection. Nor does it absolve companies of the need to take cyber protection more seriously. At least for a while, however, it can help cyber defense to trump cyber offense.
The authors work in the Energy Security Section in NATO’s Emerging Security Challenges Division. They express solely their personal views.